IEC 61508: UNDERSTANDING THE STANDARD AND ITS PLACE IN SAFETY ENGINEERING AND MANAGEMENT
Felix Redmill
Redmill Consultancy, London
Felix.Redmill@ncl.ac.uk
TOPICS COVERED
• Background to the standard
• What the standard is and what its aims are
• Structure of the standard
• Vocabulary and definitions
• The safety lifecycle
• Hazard and risk analysis
• Safety integrity levels (SILs)
• Safety requirements
• Safety planning
• The standard's requirements for documentation
• Claiming conformance to the standard
• The standard's requirements on management
• Independent safety assessment
• Benefits and limitations
CERN, May '11
RANDOM AND SYSTEMATIC FAILURES
• Random hardware failure [4: 3.6.5]: Failure, occurring at a random time, that results from one or more of the possible degradation mechanisms in the hardware
• Systematic failure [4: 3.6.6]: Failure, related in a deterministic way to a certain cause, that can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors
BACKGROUND TO IEC 61508
• Middle-to-late 1980s: Work on safety-related systems in the International Electrotechnical Committee, SC 65A WG9 (Software) and WG10 (Systems)
• November 1991: Publication of ‘Software for Computers in the Application of Industrial Safety-related Systems’, IEC SC 65A WG9 Draft Document
• January 1992: Publication of ‘Functional Safety of Electrical/Electronic/Programmable Electronic Systems; General Aspects: Part 1, General Requirements’, IEC SC 65A WG10 Draft Document
BACKGROUND TO IEC 61508 – Contd.
• June 1995: Publication of ‘IEC 1508 — Functional Safety: safety-related systems’ in 7 parts, prepared by Working Groups 9 and 10 of SC 65A
• December 1997: Publication of ‘IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems’, prepared by sub-committee 65A: System aspects
• 1998 - 2000: All seven parts voted to status of standard
• 2010: Publication of Edition 2, after several years of “maintenance”
THE 7 PARTS OF THE STANDARD
1 General requirements (Normative, except Annexes)
2 Requirements for electrical/electronic/programmable electronic safety-related systems (Normative)
3 Software requirements (Normative)
4 Definitions and abbreviations (Normative)
5 Examples of methods for the determination of safety integrity levels (Informative)
6 Guidelines on the application of Parts 2 and 3 (Informative)
7 Overview of techniques and measures (Informative)
• In total, more than 400 pages
WHAT LIES BEHIND THE STANDARD
• We require confidence of safety in advance, not retrospectively
• We must not only achieve safety but also demonstrate it
• Absolute safety (zero risk) cannot be achieved
• So, we must make decisions on what risk is tolerable
• Dispel the belief that ‘if we do it well it will be safe’
• Correct functionality is not the same as safety
• Therefore: see next slide
WHAT LIES BEHIND THE STANDARD - 2
We must:
• Understand the risks posed by our systems (plant, processes and products)
• Reduce risks that are not tolerable
• Specify safety requirements as well as (and independently of) functional requirements
• Implement the safety requirements, and be confident that residual risks are tolerable
• Employ independent safety assessment
APPLICATION OF IEC 61508
• There is equipment under control (EUC) which, with its control system, poses risks to its surroundings
• The risks will be reduced to tolerable levels by safety functions
• Safety functions are performed by E/E/PE systems
SCOPE OF IEC 61508
• The EUC and its control system have
  • Functional requirements, concerning what they must do
  • Non-functional requirements, such as power consumption
  • Safety requirements, to reduce risk
• IEC 61508 addresses the safety requirements
  • In all lifecycle stages, from concept to decommissioning
  • Their provision in E/E/PE systems
MEETING THE INTENT 1 — Understanding the Risk
The standard requires:
• Identification and analysis of the risks posed by the EUC
• Decisions on what levels of risk are tolerable
• Decisions on which risks should be reduced, and by how much
MEETING THE INTENT 2 — Safety-related systems
• Risk reduction may be achieved by various means
• This standard gives guidance on E/E/PE systems
(There may be numerous hazards)
MANY RISKS
MEETING THE INTENT 3 — Principles Involved
• The safety lifecycle is a model for identifying the activities appropriate to safety-related systems, and it facilitates safety planning
• A risk-based approach means not merely following a procedure and assuming that safety will result, but:
  • Identifying the risks and reducing them appropriately
• Safety integrity levels (SILs) provide targets for risk reduction
• The safety requirements specification defines the safety requirements necessary for risk reduction (for all EUC risks)
MEETING THE INTENT 3 — Principles Involved (Contd.)
• Carrying out safety planning is essential to a methodical and auditable approach
• Safety assessment checks for appropriateness and adequacy at all stages
• Safety management is essential throughout the entire life of a system
• The safety case is not mentioned in the standard
VOCABULARY AND DEFINITIONS — 1
• Harm [4: 3.1.1]: Physical injury or damage to the health of people or damage to property or the environment
• Risk [4: 3.1.6]: combination of the probability of occurrence of harm and the severity of that harm
• Hazard [4: 3.1.2]: potential source of harm
• Hazardous event [3.1.4]: Event that may result in harm
• Safety [4: 3.1.11]: freedom from unacceptable risk
• Tolerable risk [4: 3.1.7]: risk which is accepted in a given context based on the current values of society
• Equipment under control (EUC) [4: 3.2.1]: equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities
VOCABULARY AND DEFINITIONS — 2
• Safety-related system [4: 3.4.1]: designated system that:
  • Implements the required safety functions necessary to achieve or maintain a safe state for the EUC; and
  • Is intended to achieve, on its own or with other safety-related systems and other risk reduction facilities, the necessary safety integrity for the required safety functions
• Safety function [4: 3.5.1]: function ... intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event
• Safety integrity [4: 3.5.4]: probability of a safety-related system satisfactorily performing the specified safety functions under all the stated conditions within a stated period of time
STRUCTURE OF PARTS 1, 2 AND 3
Clause 1 Scope - individual to each of the 3 parts
Clause 2 Normative References
Clause 3 Definitions and Abbreviations - all refer to Part 4
Clause 4 Conformance to this Standard - Parts 2 and 3 refer to Part 1
Clause 5 Documentation - Parts 2 and 3 refer to Part 1
Clause 6 Management of Functional Safety - Part 1 contains the requirements; Parts 2 and 3 refer to Part 1, and Part 3 adds ‘software configuration management’
Clause 7 Safety Lifecycle Requirements - Part 1: Overall; Part 2: E/E/PE systems; Part 3: Software
Clause 8 Functional Safety Assessment - Parts 2 and 3 refer to Part 1
MAIN TECHNICAL PRINCIPLES OF IEC 61508
• The safety lifecycle: a model for structuring safety management activities throughout the life cycle of safety-related systems
• A risk-based approach: basing safety-management activities on an understanding of the risks involved
• Safety integrity levels (SILs): provide targets for risk reduction
• Safety requirements: specified independently of functional requirements
• Safety planning: ensures a methodical and auditable approach
• Safety assessment: independent (third-party) check of safety (but the standard does not address the safety case)
THE SAFETY LIFECYCLE
• Necessary activities involved in the implementation of safety-related systems, occurring during a period of time that starts at the concept phase of a project and finishes when all of the E/E/PE safety-related systems and other risk reduction measures are no longer available for use [4: 3.7.1]
• Models the whole life of a safety-related system, from conception to decommissioning
• Recognises that the safety features are seldom met by a single design in a single technology
• Addresses only the safety activities
• In parallel with ‘functional’ development or system lifecycle models in use
LIFECYCLE PHASES
1 Concept
To understand the equipment under control (EUC) and its environment (physical, social, political, legislative, etc.) sufficiently to perform the other safety lifecycle activities
Examples of questions to be asked:
• What are the system-level hazards?
• What legislation applies?
• Is the system subject to political controversy?
• What is public perception of the likely risks?
• Is location affected by the risks?
LIFECYCLE PHASES
2 Overall scope definition
To determine the boundary of the EUC and its control system and the scope of the hazard and risk analyses to be carried out
Examples of questions to be asked:
• What are the physical and logical boundaries of the EUC?
• Is manual operation involved in control?
• What policy and management decisions will affect operation and control?
• Who and what are, or might be, affected by the risks posed?
LIFECYCLE PHASES
3 Hazard and risk analysis
To identify the hazards of the EUC in all modes of operation, the event sequences leading to the hazards, and the EUC risks associated with the hazards (continuous through system life)
[Hazard ID → Hazard analysis → Risk assessment]
Examples of questions to be asked:
• What hazards does the system pose?
• What are their possible causes and consequences?
• What is the likelihood of their occurrence?
• What are the risks associated with each of the hazards?
• Which risks should be reduced, and by how much?
THE LIFECYCLE PHASES
4 Overall safety requirements
To develop the overall safety requirements specification
• What risks are to be reduced?
• Specify requirements for risk reduction
• Perhaps specify safety functions for specific risk reduction
• Define safety integrity levels as well as functional requirements
• Requirements may be specified in stages, with ‘high-level’ requirements (e.g. “this risk must be reduced”) first and safety functions being defined later
THE LIFECYCLE PHASES
5 Safety requirements allocation
To carry out a safety design in which it is determined how each of the safety requirements is to be met. (A combination of E/E/PE systems and other risk-reduction measures may be employed.) This phase ends in an overall design, which is then interpreted, in Phases 9, 10 and 11, into detailed designs for development
Example tasks:
• Design safety functions to satisfy safety requirements
• Derive the safety integrity level of each safety function
• Allocate safety functions to safety-related systems
• Derive the safety integrity levels of the proposed systems
• Iterate until high-level safety requirement allocation is 'optimum'
THE LIFECYCLE PHASES
6 Overall operation and maintenance planning
To develop an operation and maintenance plan to ensure that the functional safety of the system is maintained during the operational phase
• Implementation may depend on the adequacy of an organisation’s Safety Management System
THE LIFECYCLE PHASES
7 Overall validation planning
To develop a safety validation specification which defines how all the requirements in the safety requirements specification are to be validated
• IEC 61508 defines this as being for E/E/PE safety-related systems only
• But this is ‘overall’ validation planning, so the same principles should apply to all means of implementation of risk-reduction measures
THE LIFECYCLE PHASES
8 Overall installation and commissioning planning
To plan how the safety features will be installed and how their commissioning (including acceptance testing) will be carried out
• What competences will be required?
• What evidence will be required for safety assessment, and for inclusion in the safety case?
THE LIFECYCLE PHASES
9, 10, 11 Realisation
To carry out the development of the defined safety functions
• The safety requirements are not necessarily met in a single technology
• Means other than E/E/PE are not, formally, the subject of IEC 61508
• For E/E/PE systems:
  • Part 2 gives guidance on system realisation
  • Part 3 gives guidance on software realisation
  • Part 6 gives guidance on applying Parts 2 and 3
THE LIFECYCLE PHASES
12 Overall installation and commissioning
To install the total combination of systems and external risk reduction facilities – as integrated parts of the total system
13 Overall safety validation
To validate, in accordance with the safety validation plans, that the safety requirements have all been correctly met
THE LIFECYCLE PHASES
14 Overall operation and maintenance
To operate and maintain the total combination of systems and external risk reduction facilities in a manner such as to achieve and maintain the functional safety for which the total system was planned and designed
• Employ the safety management system (responsibility, authority, approvals, etc.)
THE LIFECYCLE PHASES
15 Overall modification and retrofit
To ensure that functional safety is appropriate and adequate during, and subsequent to, changes to the system
• Hazard and risk analysis should be carried out prior to change
THE LIFECYCLE PHASES
16 Decommissioning and disposal
To ensure that safety is maintained during the decommissioning process
• Hazard and risk analysis should be carried out prior to decommissioning and disposal
• Disposal can be dangerous (e.g. nuclear waste)
• Careful planning and management are required
SAFETY LIFECYCLE SUMMARY
Understand the functional goals and design
Identify the hazards
Analyse the hazards
Determine and assess the risks posed by the hazards
Specify the risk reduction measures and their SILs
Define the required safety functions (and their SILs)
Carry out safety validation
Operate, maintain, change, decommission, dispose safely
RISKS DURING DECOMMISSIONING AND DISPOSAL
• 1984 dumping of X-ray machine in Mexico
• Cobalt 60 contamination
• 13000 tons of steel reinforcing bars
• Hundreds of houses in which the bars were used had to be demolished
NOTES ON THE MODEL
• The model is an overview and omits activities that are common to all lifecycle phases, for example:
  • Management
  • Documentation
  • Verification
  • Quality assurance
  • Safety assessment
• There is a change of focus after Phase 3
• Each phase of the overall safety lifecycle shall be divided into elementary activities [1: 7.1.4.4]
THE SAFETY LIFECYCLE AND THE STANDARD
• Forms the standard’s spine, and is used in the standard as the basis of safety planning
• Is used in the standard as the basis for specifying requirements
• The standard requires it to be used as the basis for demonstrating compliance to the standard
HAZARD AND RISK ANALYSIS - 1
• Hazard identification
  • Define hazards and hazardous events of the EUC and its control system for all reasonably foreseeable circumstances
    • Fault conditions
    • Reasonably foreseeable misuse
    • Human factors
  (It is not sufficient to confirm that normal operation is safe)
HAZARD AND RISK ANALYSIS - 2
• Hazard analysis
  • Determine the event sequences leading to each hazardous event (but note too: hazards from interactions)
  • Identify the causes of hazards and assess the consequences of hazardous events
  • Determine the risks associated with the hazardous events
• Risk assessment
  • Assess the risks against tolerability criteria
HAZARD IDENTIFICATION
• The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be determined under all reasonably foreseeable circumstances [1: 7.4.2.3]
• The basis of safety analysis
• Requires a managed team effort
• Techniques are used to facilitate (e.g. HAZOP, FMEA, FTA)
HAZARD IDENTIFICATION
• Although hazard identification is formally identified as taking place in Phase 3 of the safety lifecycle, it should be continuous - hazards identified in audits, by clients, in reports, via incidents, should all be recorded and analysed
‘The claim that a hazard was not foreseen is not available to one who did not use foresight appropriate to his enterprise’
[Mr Justice Jackson, USA, 1953]
HAZARD ANALYSIS
• All identified hazards should be analysed to determine the risks that they pose
• The event sequences leading to the hazardous events shall be determined [1: 7.4.2.4]
• The likelihood of the hazardous events shall be evaluated [1: 7.4.2.5]
• The likelihood of a specific hazardous event may be expressed quantitatively or qualitatively [1: note to 7.4.2.5]
• The [potential] consequences associated with the hazardous events shall be determined [1: 7.4.2.6]
EVENT SEQUENCES
• In some cases the event sequence is short and direct, e.g. in this simple chemical plant:
  If valve V1 does not close → Too much of A in mixture in C → Explosive mixture
• But in general the progression from the most basic cause to the risk of the system-level hazardous event (accident) is one of many stages of cause and effect
  • and almost invariably results from a combination of circumstances
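An added example, not from the slides, that carries the event-sequence idea into a small fault-tree (FTA) evaluator: it computes the quantitative likelihood of the top hazardous event from basic events, lists the minimal cut sets (the "combinations of circumstances" the slide refers to), and answers the Phase 3 question "by how much should the risk be reduced?" against a tolerability criterion. The event names, probabilities and tolerable figure are constructed assumptions, and the basic events are assumed independent.

```python
# Added example, not from the slides: a minimal fault-tree evaluator for the
# event-sequence / bottom-up view. Event names and probabilities are constructed.
import math
from dataclasses import dataclass
from typing import Union

@dataclass
class BasicEvent:
    name: str
    p: float  # probability of the event over one year of operation (constructed)

@dataclass
class Gate:
    kind: str  # "AND": all inputs needed; "OR": any one input suffices
    inputs: list  # BasicEvent or Gate objects

Node = Union[BasicEvent, Gate]

def probability(node: Node) -> float:
    """Top-event probability, assuming independent basic events."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":  # all must occur: product of probabilities
        return math.prod(ps)
    if node.kind == "OR":  # any may occur: 1 - P(none occurs)
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")

def cut_sets(node: Node) -> set:
    """Minimal cut sets: each is one 'combination of circumstances' that
    suffices for the top event, which a single likelihood figure hides."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    child_sets = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child_sets)
    else:  # AND: take one cut set from every input and merge them
        sets = {frozenset()}
        for cs in child_sets:
            sets = {a | b for a in sets for b in cs}
    return {s for s in sets if not any(o < s for o in sets)}  # minimal ones only

def required_risk_reduction(hazard_p: float, tolerable_p: float) -> float:
    """Phase 3/4 question 'by how much?': unmitigated over tolerable likelihood.
    A value <= 1 means the risk is already tolerable."""
    return hazard_p / tolerable_p

# The slide's direct chain (V1 fails to close -> too much A in C -> explosive mixture)
# is a single basic event; the general case needs a combination of circumstances.
V1_FAILS = BasicEvent("V1 fails to close", 0.10)
EXCESS_A = Gate("OR", [V1_FAILS, BasicEvent("Flow controller reads low", 0.05)])
IGNITION = Gate("OR", [BasicEvent("Stirrer motor sparks", 0.01), BasicEvent("Static discharge", 0.02)])
EXPLOSION = Gate("AND", [EXCESS_A, IGNITION])
TOLERABLE_P = 1e-4  # constructed tolerability criterion for this hazardous event
```

With these constructed figures the explosion has a likelihood of about 0.0043 per year via four minimal cut sets, so the safety functions specified in Phase 4 would need to reduce the risk by a factor of roughly 43 to meet the criterion.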
A BOTTOM-UP VIEW